
source-root is not applied in SARIF output #1147

Open
meriouma opened this issue Jul 20, 2022 · 4 comments
Labels
enhancement New feature or request

Comments

@meriouma

I'm not sure if I got the doc wrong, but I have a project with multiple folders, and when running CodeQL on a single sub-folder using source-root like this:

runs:
  using: composite
  steps:
    - name: Initialize CodeQL
      uses: github/codeql-action/init@v2
      with:
        languages: ${{ inputs.languages }}
        source-root: packages/react

    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@v2
      with:
        category: ${{ inputs.category }}
        checkout_path: packages/react # Tried with or without this

In the SARIF output, the artifactLocation.uri properties are relative to packages/react, which once uploaded to GitHub code scanning yields invalid paths in the repository, as they are relative to the source-root instead of the repository root.

@edoardopirovano
Contributor

Greetings, many thanks for getting in touch with this question. That is indeed what the source-root option will do, and it is almost certainly not the option you want to be using. Is your goal to only scan files in the packages/react folder? If so, I would recommend using the paths property of the configuration file as documented here.

In particular, you'll want to make a file called ./.github/codeql/codeql-config.yml (or add to your existing one if you already have it) that contains:

paths:
  - packages/react

Then, in your init step do:

    - name: Initialize CodeQL
      uses: github/codeql-action/init@v2
      with:
        languages: ${{ inputs.languages }}
        config-file: ./.github/codeql/codeql-config.yml

I hope that's helpful! Do let me know if that works for you or if you have any further questions.

@meriouma
Author

Thank you @edoardopirovano. This makes sense.
I was hoping to be able to pass the paths to scan as an input to the init action, as I have multiple folders that I wanted to scan individually with a different category. As a workaround I am now writing the config file in the action to output the path based on the inputs.working-directory I am passing.
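The workaround described in the comment above, written out as an added example (this is not code from the issue, nor from the codeql-action project): a POSIX shell helper for a composite action step that writes the CodeQL config file the init step reads through config-file, taking the directory from an assumed inputs.working-directory input. The helper refuses absolute and parent-traversing values, since a workflow input that lands in a config file is untrusted data, and normalises "./" and trailing slashes. The paths-ignore entry is a constructed illustration, not something the issue asks for.

```shell
#!/bin/sh
# Added example (not from the codeql-action project): generate the CodeQL
# config file read via `config-file`, using a composite-action input
# (assumed name: inputs.working-directory) instead of source-root, so that
# SARIF artifactLocation.uri values stay relative to the repository root.
#
# Usage inside a composite action step (assumed workflow fragment):
#   - name: Write CodeQL config
#     shell: bash
#     run: |
#       . ./scripts/codeql-config.sh
#       write_codeql_config "${{ inputs.working-directory }}" .github/codeql/codeql-config.yml

# validate_scan_path DIR
#   Accept only a non-empty relative path that stays inside the checkout:
#   no leading '/', no '..' component. Returns 0 when acceptable.
validate_scan_path() {
  dir=$1
  [ -n "$dir" ] || return 1
  case "$dir" in
    /*) return 1 ;;                    # absolute path would escape the checkout
    ..|../*|*/..|*/../*) return 1 ;;   # parent-directory traversal
  esac
  return 0
}

# normalize_scan_path DIR
#   Print DIR without a leading './' or a trailing '/', the form the
#   config file's `paths` entries use.
normalize_scan_path() {
  dir=$1
  dir=${dir#./}
  dir=${dir%/}
  printf '%s\n' "$dir"
}

# write_codeql_config DIR OUTFILE
#   Write a config restricting analysis to DIR. The paths-ignore entry for
#   __tests__ folders is a constructed example of a per-folder exclusion.
write_codeql_config() {
  dir=$1
  out=$2
  validate_scan_path "$dir" || { echo "refusing to scan path: $dir" >&2; return 1; }
  dir=$(normalize_scan_path "$dir")
  mkdir -p "$(dirname "$out")"
  printf 'paths:\n  - %s\npaths-ignore:\n  - %s/**/__tests__\n' "$dir" "$dir" > "$out"
}
```

Because the file is generated on every run, each invocation of the action (one per folder, with its own category input) gets a config that names only its folder, and the SARIF upload keeps repository-relative paths.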

@edoardopirovano
Contributor

Aha, I see. That is an interesting use case that we don't have an easy path for. Your workaround sounds reasonable, and is what I would've suggested too. We'll certainly keep your scenario in mind if we ever do a major reshuffle of how these parameters are configured!

cc. @aeisenberg as the above is likely to be of interest to you.

@aeisenberg aeisenberg added the enhancement New feature or request label Jul 20, 2022
@aeisenberg
Contributor

Thanks for the issue. I think the feature you want is to be able to pass the paths and paths-ignore config options as action inputs. This is straightforward enough to do. It's not on our roadmap right now and if we get any more requests for a feature like this, we will consider it. Though, it sounds like you have a reasonable workaround.
